RE: snmp vulns, symptoms, S-train

From: Barry Raveendran Greene (bgreene@cisco.com)
Date: Mon Feb 25 2002 - 02:01:36 EST


Hi Charles,

Let's get you on the phone with TAC and have them plug you into PSIRT.

Barry

> -----Original Message-----
> From: Charles Sprickman [mailto:spork@inch.com]
> Sent: Sunday, February 24, 2002 8:10 PM
> To: cisco-nsp@puck.nether.net
> Subject: snmp vulns, symptoms, S-train
>
>
> Hi,
>
> I'd read the advisory, and I *thought* I had the workaround correct, but
> now I'm thinking it's not... One of our routers stopped speaking ospf and
> could not be telnet'd or ssh'd to. I hit the console from our term server
> and just got the message:
>
> %% Low on memory; try again later
>
> Ugh. Looking over at the loghost I found this repeated over and over:
>
> Feb 23 23:58:42 edge-1-loopback-var 936: -Process= "IP SNMP", ipl= 0, pid=
> 60
> Feb 23 23:58:42 edge-1-loopback-var 937: -Traceback= 60253188 60254E40
> 605EC934 605F1388 605F3410 60611B4C 605EDF20 605EDEA0 60601E78 60323B70
> 6024C67C 6024C668
> Feb 23 23:59:12 edge-1-loopback-var 938:
> Feb 24 04:59:11.806 UTC: %SYS-2-MALLOCFAIL: Memory allocation of 16 bytes
> failed from 0x605EC92C, alignment 0
> Feb 23 23:59:12 edge-1-loopback-var 939: Pool: Processor Free:
> 7748 Cause: Memory fragmentation
> Feb 23 23:59:12 edge-1-loopback-var 940: Alternate Pool: None Free: 0
> Cause: No Alternate pool
>
> This repeats, and eventually a similar message about the OSPF process
> starts appearing, and that's when I started getting pages. I killed all
> the links back to this router from the other side, and after about five
> minutes the console came back and I was able to disable snmp completely
> and reload it. Been fine so far...
>
> So is this the "expected" result of the snmp bug being fondled remotely?
>
> This router is on: 12.0(19.6)S, others are running: 12.0(20.3)S1.
>
> Any issues in going up to the latest "S"?
>
> Hope some of this info helps; it seems like if you can isolate the router
> from the net while under attack, you may be able to save a trip in to flip
> the power switch...
>
> Thanks,
>
> Charles
>
> | Charles Sprickman | Internet Channel
> | INCH System Administration Team | (212)243-5200
> | spork@inch.com | access@inch.com
>
>
>
>
>
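
Added example (not part of the original thread, and not Cisco's or the poster's code): a Python triage over syslog lines in the shape quoted above, flagging routers where repeated %SYS-2-MALLOCFAIL messages appear alongside -Process= "IP SNMP" and noting when other processes start being named as well. The host names, the sample lines, the "OSPF Router" process name and the min_failures threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Line shape quoted in the post: "<Mon DD HH:MM:SS> <host> <seq>: <message>"
LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]+\s(\S+)\s\d+:\s?(.*)$")
FAIL_RE = re.compile(r"%SYS-2-MALLOCFAIL: Memory allocation of \d+ bytes failed")
PROC_RE = re.compile(r'-Process=\s*"([^"]+)"')

# Constructed sample input: hosts rtr-a/b/c are made up, wrapped lines are rejoined.
FAIL = ("Feb 24 04:59:11.806 UTC: %SYS-2-MALLOCFAIL: Memory allocation of "
        "16 bytes failed from 0x605EC92C, alignment 0")
SNMP = '-Process= "IP SNMP", ipl= 0, pid= 60'
SAMPLE = [
    f"Feb 23 23:58:12 rtr-a 935: {FAIL}",
    f"Feb 23 23:58:42 rtr-a 936: {SNMP}",
    f"Feb 23 23:59:12 rtr-a 938: {FAIL}",
    "Feb 23 23:59:12 rtr-a 939: Pool: Processor Free: 7748 Cause: Memory fragmentation",
    'Feb 23 23:59:42 rtr-a 941: -Process= "OSPF Router", ipl= 0, pid= 61',
    f"Feb 23 23:58:13 rtr-b 101: {FAIL}",
    f"Feb 23 23:58:14 rtr-b 102: {SNMP}",
    f"Feb 23 23:58:43 rtr-b 103: {FAIL}",
    f"Feb 23 23:58:15 rtr-c 7: {FAIL}",
    f"Feb 23 23:58:16 rtr-c 8: {SNMP}",
    "%% Low on memory; try again later",  # console text, not a syslog line
]

def summarize(lines):
    """Per host: MALLOCFAIL count and process names from -Process= lines (first-seen order)."""
    hosts = defaultdict(lambda: {"mallocfail": 0, "processes": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not in the quoted syslog shape
        host, msg = m.groups()
        if FAIL_RE.search(msg):
            hosts[host]["mallocfail"] += 1
        p = PROC_RE.search(msg)
        if p and p.group(1) not in hosts[host]["processes"]:
            hosts[host]["processes"].append(p.group(1))
    return dict(hosts)

def triage(lines, min_failures=2):
    """Flag hosts with repeated allocation failures where IP SNMP is a named process."""
    alerts = {}
    for host, s in summarize(lines).items():
        if s["mallocfail"] >= min_failures and "IP SNMP" in s["processes"]:
            others = [p for p in s["processes"] if p != "IP SNMP"]
            alerts[host] = "spreading" if others else "snmp-only"
    return alerts

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "spreading" result corresponds to the stage described in the post where other processes begin reporting allocation failures too.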


